NSA Keeps Some Security Bugs Under Its Hat

The U.S. National Security Agency is getting a collective side-eye after posting what it characterized as proactive information: the fact that it discloses 91 percent of security vulnerabilities that pass through its internal review process.

While the agency appears pleased with its newfound transparency, it’s being called out en masse for the things it’s not reporting — primarily, the other 9 percent of vulnerabilities. In fact, the NSA’s revelations have raised far more questions than they’ve answered.

The disclosures came late last month in an infographic touting the agency’s security bug reporting practices.

Disclosing vulnerabilities usually makes sense, it reads, “but there are legitimate pros and cons to the decision to disclose vulnerabilities, and the tradeoffs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.”

The NSA historically has leaned in favor of disclosure, and withholds information only if it may be necessary to collect crucial foreign intelligence used to stop a terrorist attack, to prevent the theft of intellectual property, or to uncover even greater vulnerabilities, it said.

What’s Left Unsaid

However, critics have charged that what often happens with the information not disclosed is that the government leaves the unknowing party in the dark and then exploits the vulnerability for its own purposes.

By withholding information about the remaining 9 percent, the NSA has chosen not to notify the party best situated to fix the security flaw, said Jennifer Stisa Granick, director of civil liberties at the Stanford Center for the Internet and Society.

“They do this to enable intelligence agents to exploit these flaws for surveillance or to use them as weapons, as with Stuxnet,” she told TechNewsWorld. “As for the remaining 91 percent, it is not clear whether the NSA uses a subset of those vulnerabilities before it discloses them.”

In the case of Stuxnet, the U.S. and Israel used the information to create a backdoor attack on industrial control systems in Iran, as part of an effort to disrupt suspected uranium enrichment programs being developed in that country.

Timing of the Matter

The timing of the infographic’s publication is another issue that has raised questions.

The Electronic Frontier Foundation last year filed suit to force the federal government to disclose the so-called Vulnerabilities Equities Process, which is used by the FBI, NSA and other agencies to determine whether to disclose vulnerabilities to software developers or other entities, or to use those very vulnerabilities to carry out their own operations.

The massive Heartbleed bug discovered last year left millions of computer users vulnerable. Disclosures by former NSA contractor Edward Snowden, EFF and a number of other privacy advocates raised serious questions about whether the agency allowed that open wound to fester for two years while it exploited the security hole, only to deny knowledge of it.

The infographic happened to post the exact same day that government lawyers filed for summary judgment in the suit EFF brought regarding the VEP process, noted Andrew Crocker, staff attorney at EFF, although a direct connection cannot be established.

There have been reports that the National Security Council and Department of Homeland Security are taking a more active role in making sure there is a strong movement in favor of disclosure, he told TechNewsWorld, “but we’d like to see more transparency, such as public reporting about how the process works,” which is requested in the litigation, “as well as some way of understanding the volume, number of vulnerabilities the government handles, and even the budget devoted to it.”

Spit and Polish

On the other hand, the timing may be no more than an effort to remove some tarnish from the agency’s public image.

“The NSA has in recent years struggled from a public relations perspective; one can imagine that they would prefer that the discussion be focused on the 91 percent of exploits that they do report, and the — perhaps unexpected — indication that they adhere to the principle of sunlight being the most effective disinfectant,” observed GreatHorn CEO Kevin O’Brien.

It’s also significant that what the NSA is reporting — or not reporting, as the case may be — are vulnerabilities.

“Software exploits of this kind — unintentional issues that are researched and reported on — are a different kind from the more sophisticated types of cyberattack that lead to large breaches,” O’Brien told TechNewsWorld.

For example, exploits of trust go after comparatively soft targets — people — rather than systems and software, he pointed out.

“As a security professional, having the NSA allocating resources to finding these kinds of issues is comforting,” O’Brien said. “They’re a resource that, on many levels, has the best interests of United States and its national security in mind. Bluntly put, someone will find these exploits; I’d rather it be an agency which is aligned with our national security.”

The NSA may need to split its duties with a new security-related agency that can take the function of fixing vulnerabilities out of the hands of an entity that spends most of its time in the business of analyzing intelligence, suggested Kevin Krewell, principal analyst at Tirias Research.

“The NSA is conflicted on security issues,” he told TechNewsWorld. “On the one hand, it should be supporting more software security to protect the interests of the U.S.A. Yet on the other hand, security vulnerabilities are extremely important for their mission to gather information.”

NSA officials did not respond to our request to comment for this story.